Will captive portal work over split-tunnel VIA-VPN?

  • 1.  Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 26, 2015 12:21 PM

    Hi,

    I'm not quite sure if this is even possible.

    I tried the default firewall policy captive-portal, and I also tried to add the rule: user <tunnelled-network> svc-https dst-nat 8081 but none worked.

    Thanks



  • 2.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 06:22 AM

    Hi,

    What exactly are you trying to bring up here? Are you planning CP auth with a RAP or something else?

    Please let me know, I can help you on this.



  • 3.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 06:38 AM

    Hi,

    After the user is connected to VPN by VIA, where the VPN is in split-tunnel mode, I want the user to be redirected to ClearPass Onboard page whenever the user tries to browse a corporate resource.

    Thanks



  • 4.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 06:45 AM

    Hi,

    It is possible; you need to map the CP policy to the initial role of the user, but once the user is authenticated the role will be changed to a different role, and further resource accessibility depends on the authenticated role.

    I don't think you can enable CP auth whenever the user is trying to access the Corp resources. Generally we allow the Corp resources once the user is authenticated.



  • 5.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 09:57 AM

    Hi,

    That's what I tried but it didn't work.

    What I meant by corporate resource is when the user is trying to browse any resource that is tunnelled back to the controller by the VPN connection; this is where I want the traffic to be dst-nated. If the user is trying to browse some other website on the Internet, this is not tunnelled and should work.

    Currently all that happened except the part where the user should be redirected to specified URL even after mapping the CP profile to the initial role (which is the default guest-logon).

    Thanks



  • 6.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 11:51 AM

    Where do you want to dst-NAT the Internet (other than the corporate traffic) traffic? You can play around with the split-tunnel ACL to achieve this.

    1. Let the user get authenticated by CP auth and map an authenticated role.

    2. Create a rule in the split-tunnel ACL such that non-corporate traffic is NATed.

    This is the solution as per my understanding of your requirement; if your requirement is different, let me know. I will try another solution accordingly.



  • 8.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 02:40 PM

    Hi,

    As per my understanding, you want to onboard all the clients that are trying to access the Internet, so the solution is simple: during authentication, instead of redirecting to the CP page, redirect to the Onboarding page (CPPM server) so that the user can finish both authentication and onboarding. Once the onboarding is finished we can map the same client to a different role so that the user can access the Corp resources accordingly.

    To get it done, you should allow HTTP and HTTPS traffic to the CPPM server in the policy mapped to the initial role (add "User <CPPM server IP> HTTPS permit" and "User <CPPM server IP> HTTP permit" to the existing CP policy).

    Please let me know if you need some help on Onboarding.



  • 9.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 27, 2015 02:57 PM

    Hi,

    Let's forget the onboarding and try to simplify.

    Suppose you got a split-tunnel ssid with default guest-logon as initial user role.

    When the user connects, the login page will pop up. Case closed.

    But in my case, a VPN user in split-tunnel mode with the guest-logon role, page redirection is not happening.

    Thanks for your patience..



  • 10.  RE: Will captive portal work over split-tunnel VIA-VPN?

    Posted Jul 28, 2015 06:53 AM

    Hi,

    OK, I got it. As a workaround:

    1. Check whether the client is configured with a valid DNS IP.

    2. Check the split-tunnel ACL. It should permit HTTP/HTTPS to the Controller/CPPM. By default the split-tunnel ACL will consider the Internet traffic as non-corporate traffic and NAT it.

    You can easily identify the issue by using "show acl hits"; from this output you can identify whether an ACL is blocking the HTTP/HTTPS traffic going to the CPPM/Controller.
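
A simplified model of the initial-role policy discussed in posts 8 and 10, added here as an illustration; it is not code from any poster or from ArubaOS. It assumes top-down, first-match rule evaluation with an implicit deny, and all addresses are constructed.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the thread.
TUNNELLED_NET = ipaddress.ip_network("10.0.0.0/8")  # range the VIA client sends into the VPN
CPPM = ipaddress.ip_network("10.1.1.20/32")         # hypothetical ClearPass server address
PORTS = {"svc-http": 80, "svc-https": 443}

# Initial-role policy as ordered (destination, service, action) rules:
# the two CPPM permits from post 8, then the dst-nat rule from post 1.
INITIAL_ROLE = [
    (CPPM, "svc-https", "permit"),
    (CPPM, "svc-http", "permit"),
    (TUNNELLED_NET, "svc-https", "dst-nat 8081"),
]
# Same rules with the dst-nat rule first, to show why order matters.
MISORDERED = [INITIAL_ROLE[2], INITIAL_ROLE[0], INITIAL_ROLE[1]]


def evaluate(policy, dst, port):
    """Return (action, index of matching rule or None) for one client flow."""
    addr = ipaddress.ip_address(dst)
    if addr not in TUNNELLED_NET:
        # Split tunnel: the client sends this directly, the controller never sees it.
        return "not tunnelled", None
    for index, (net, service, action) in enumerate(policy):
        if addr in net and PORTS[service] == port:
            return action, index
    return "deny", None  # modelled implicit deny at the end of the policy


def hit_counts(policy, flows):
    """Per-rule match counters, the kind of evidence post 10 looks for."""
    hits = [0] * len(policy)
    for dst, port in flows:
        _, index = evaluate(policy, dst, port)
        if index is not None:
            hits[index] += 1
    return hits


# Constructed flows: onboarding page, a corporate site, an Internet site.
FLOWS = [("10.1.1.20", 443), ("10.2.3.4", 443), ("203.0.113.10", 443)]

if __name__ == "__main__":
    for name, policy in (("ordered", INITIAL_ROLE), ("misordered", MISORDERED)):
        print(name, [evaluate(policy, d, p)[0] for d, p in FLOWS], hit_counts(policy, FLOWS))
```

In the misordered policy the HTTPS flow to the CPPM address is caught by the dst-nat rule and both permit counters stay at zero, which is the pattern to look for in per-rule hit counts.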